Vulnerability Details CVE-2013-7285
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.151
EPSS Ranking 94.2%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://seclists.org/oss-sec/2014/q1/69
- http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://x-stream.github.io/CVE-2013-7285.html
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://seclists.org/oss-sec/2014/q1/69
- http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
- https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://x-stream.github.io/CVE-2013-7285.html
Products affected by CVE-2013-7285
-
cpe:2.3:a:apache:activemq:5.15.8
-
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0
-
cpe:2.3:a:xstream:xstream:-
-
cpe:2.3:a:xstream:xstream:0.2
-
cpe:2.3:a:xstream:xstream:0.3
-
cpe:2.3:a:xstream:xstream:0.4
-
cpe:2.3:a:xstream:xstream:0.5
-
cpe:2.3:a:xstream:xstream:0.6
-
cpe:2.3:a:xstream:xstream:1.0
-
cpe:2.3:a:xstream:xstream:1.0.1
-
cpe:2.3:a:xstream:xstream:1.0.2
-
cpe:2.3:a:xstream:xstream:1.1
-
cpe:2.3:a:xstream:xstream:1.1.1
-
cpe:2.3:a:xstream:xstream:1.1.2
-
cpe:2.3:a:xstream:xstream:1.1.3
-
cpe:2.3:a:xstream:xstream:1.2
-
cpe:2.3:a:xstream:xstream:1.2.1
-
cpe:2.3:a:xstream:xstream:1.2.2
-
cpe:2.3:a:xstream:xstream:1.3
-
cpe:2.3:a:xstream:xstream:1.3.1
-
cpe:2.3:a:xstream:xstream:1.4
-
cpe:2.3:a:xstream:xstream:1.4.1
-
cpe:2.3:a:xstream:xstream:1.4.10
-
cpe:2.3:a:xstream:xstream:1.4.2
-
cpe:2.3:a:xstream:xstream:1.4.3
-
cpe:2.3:a:xstream:xstream:1.4.4
-
cpe:2.3:a:xstream:xstream:1.4.5
-
cpe:2.3:a:xstream:xstream:1.4.6